Rewterz Threat Alert – Three Malicious PyPI Packages Discovered Using Crypto Miners to Target Linux Users – Active IOCs

Severity

High

Analysis Summary

Three new malicious packages with the ability to deploy a cryptocurrency miner on Infected Linux devices have been discovered in the Python Package Index (PyPI) open-source repository. The packages are named modularseven, driftme, and catme and have been downloaded 431 times in total within the last month before they were taken down.

The packages deploy a CoinMiner executable on devices running the Linux operating system. The campaign shares an overlap with a previous campaign that used a package called culturestreak to deploy a crypto miner. The malicious code is within the __init__.py file that can retrieve and decode the first stage from a remote server. It is a shell script named “unmi.sh” that receives a configuration file for the crypto mining activity and the CoinMiner file from GitLab.

The ELF binary file is executed as a background process by using the nohup command, which makes sure that the process continues to run even after exiting the session. These packages hide their payload to evade detection by hosting the malicious code on a remote URL. The payload is released incrementally over several stages to start its malicious activities.

The attribution to the culturestreak package also comes from the fact that the configuration file is hosted on the same domain and the coin mining executables are found on a public GitLab repository. One notable upgrade in the three new packages is an extra stage that is added by concealing their malicious intent in the shell script, helping it to avoid being detected by security solutions.

The malware is observed by researchers to add the malicious commands into the ~/.bashrc file. It ensures that the malware remains persistent and can reactivate on the compromised system and extends the duration of its operation. This strategy helps in staying stealthy and prolongs the exploitation of the device for the benefit of the threat actor.

Impact

• Cryptocurrency Theft
• Financial Loss

Indicators of Compromise

MD5

• 91420762292cddfcf9e2ad552de41518

SHA-256

• df0211bf54174b5766366eecfb0a04c4a59346478e1507b6685fbaed6b2d2aca

SHA-1

• 5ef904a0cc9bdcd49f57ac95f1d17686a78d6299

URL

• https://papiculo.net/unmi.sh
• https://papiculo.net/unmiconfig.json
• https://gitlab.com/ajo9082734/Mine/-/raw/main/X

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Regularly review the dependencies of your open-source projects and consider using package-lock files or version pinning to ensure that you’re using trusted and verified packages.
• Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
• Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
• Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
• Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
• Use antivirus and intrusion detection systems to help identify and block malicious activity.
• Implement network segmentation to limit the spread of malware or malicious activities within your network.
• Enforce strong password management practices for your systems and accounts.
• Implement MFA wherever possible to add an extra layer of security.
• Properly evaluate the Python code that you download before installing it onto your system.